What does “residual risk” mean?
A. The security risk that remains after controls have been implemented
B. Weakness of an asset which can be exploited by a threat
C. Risk that remains after risk assessment has been performed
D. A security risk intrinsic to an asset being audited, where no mitigation has taken place
Explanation:
The reason a company implements countermeasures is to reduce its overall risk to an acceptable level. No system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk.
Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard.
There is an important difference between total risk and residual risk, and between the two a company must decide which type of risk it is willing to accept. The following are conceptual formulas:
threats × vulnerability × asset value = total risk
(threats × vulnerability × asset value) × controls gap = residual risk
You may also see these concepts illustrated as the following:
total risk – countermeasures = residual risk
Incorrect Answers:
B: The weakness of an asset which can be exploited by a threat is not the definition of residual risk.
C: Risk that remains after risk assessment has been performed (with no countermeasures in place) is total risk, not residual risk.
D: A security risk intrinsic to an asset being audited, where no mitigation has taken place, is the total risk of the asset, not residual risk.
Reference:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 87